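/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _IDMAPD_H
#define	_IDMAPD_H

/*
 * Private interfaces shared by the source files of the idmapd daemon:
 * global daemon state, per-request lookup state, well-known-SID tables,
 * the flags passed between the mapping passes, and the prototypes of the
 * daemon's internal functions.  Nothing here is a public API.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <rpc/rpc.h>
#include <synch.h>
#include <thread.h>
#include <libintl.h>
#include <strings.h>
#include <sqlite/sqlite.h>
#include <syslog.h>
#include <inttypes.h>
#include <rpcsvc/idmap_prot.h>
#include "adutils.h"
#include "idmap_priv.h"
#include "idmap_config.h"
#include "libadutils.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * SENTINEL_PID is UINT32_MAX, i.e. (uid_t)-1 / (gid_t)-1 for 32-bit ids.
 * Presumably it stands for "no POSIX id"; it must never be handed out as
 * the result of a mapping.  Note that it is also equal to LOCALRID_GID_MAX
 * (below) -- confirm that the RID->gid mapping can never yield this value.
 */
#define	SENTINEL_PID	UINT32_MAX

/*
 * Substitute a printable placeholder for a NULL string (used when
 * formatting log messages).  The argument is evaluated twice, so never
 * pass an expression with side effects.
 */
#define	CHECK_NULL(s)	((s) != NULL ? (s) : "null")

extern mutex_t	_svcstate_lock;	/* lock for _rpcsvcstate, _rpcsvccount */

/*
 * How names are resolved to ids for one id type.  From the names: no
 * directory-based name mapping, AD only, native LDAP ("nldap") only, or
 * both ("mixed").  See the *_MODE() macros below.
 */
typedef enum idmap_namemap_mode {
	IDMAP_NM_NONE = 0,
	IDMAP_NM_AD,
	IDMAP_NM_NLDAP,
	IDMAP_NM_MIXED
} idmap_namemap_mode_t;

/*
 * Global state of idmapd daemon.  There is one instance, _idmapdstate.
 * The cfg pointer is guarded by rwlk_cfg: acquire it with RDLOCK_CONFIG()
 * or WRLOCK_CONFIG() and release it with UNLOCK_CONFIG().
 */
typedef struct idmapd_state {
	rwlock_t	rwlk_cfg;		/* config lock */
	idmap_cfg_t	*cfg;			/* config */
	bool_t		daemon_mode;
	bool_t		debug_mode;
	char		hostname[MAX_NAME_LEN];	/* my hostname */
	/*
	 * next_*/limit_*: presumably the next ephemeral id to allocate and
	 * the upper bound of the ephemeral range -- confirm in the allocator.
	 */
	uid_t		next_uid;
	gid_t		next_gid;
	uid_t		limit_uid;
	gid_t		limit_gid;
	int		new_eph_db;	/* was the ephem ID db [re-]created? */
	/*
	 * AD connection handles.  "gcs"/"dcs" presumably stand for global
	 * catalogs and domain controllers; num_* is the count of each array.
	 */
	int		num_gcs;
	adutils_ad_t	**gcs;
	int		num_dcs;
	adutils_ad_t	**dcs;
} idmapd_state_t;
extern idmapd_state_t	_idmapdstate;

/*
 * Config lock helpers.  NOTE: each expansion already ends in a ';', so
 * these are statements, not expressions -- use them on a line of their
 * own and never as the body of a brace-less if/else.
 */
#define	RDLOCK_CONFIG() \
	(void) rw_rdlock(&_idmapdstate.rwlk_cfg);
#define	WRLOCK_CONFIG() \
	(void) rw_wrlock(&_idmapdstate.rwlk_cfg);
#define	UNLOCK_CONFIG() \
	(void) rw_unlock(&_idmapdstate.rwlk_cfg);

/* Entry of the SID history hash table in lookup_state_t (chained by index). */
typedef struct hashentry {
	uint_t	key;
	uint_t	next;
} hashentry_t;

/*
 * Per-batch lookup state: carried through the sid2pid/pid2sid passes for
 * one idmap_mapping_batch and its result array.
 */
typedef struct lookup_state {
	bool_t		sid2pid_done;
	bool_t		pid2sid_done;
	int		ad_nqueries;	/* requests batched for AD lookup */
	int		nldap_nqueries;	/* requests batched for nldap lookup */
	/*
	 * eph_map_unres_sids: presumably "map unresolvable SIDs to ephemeral
	 * ids"; a policy knob with security impact -- verify where it is set.
	 */
	bool_t		eph_map_unres_sids;
	int		directory_based_mapping; /* enum */
	uint_t		curpos;
	hashentry_t	*sid_history;	/* hash table, sid_history_size entries */
	uint_t		sid_history_size;
	idmap_mapping_batch	*batch;	/* the requests being processed */
	idmap_ids_res	*result;	/* and their results */
	idmap_namemap_mode_t	nm_siduid;	/* name-mapping mode for uids */
	idmap_namemap_mode_t	nm_sidgid;	/* name-mapping mode for gids */
	char		*ad_unixuser_attr;
	char		*ad_unixgroup_attr;
	char		*nldap_winname_attr;
	char		*defdom;	/* default domain, presumably */
	sqlite		*cache;		/* cache DB handle (IDMAP_CACHENAME) */
	sqlite		*db;		/* persistent DB handle (IDMAP_DBNAME) */
} lookup_state_t;

/* Tests on an idmap_namemap_mode_t value. */
#define	NLDAP_OR_MIXED(nm) \
	((nm) == IDMAP_NM_NLDAP || (nm) == IDMAP_NM_MIXED)
#define	AD_OR_MIXED(nm) \
	((nm) == IDMAP_NM_AD || (nm) == IDMAP_NM_MIXED)

/*
 * Tests on the name-mapping mode in effect for a POSIX id type
 * (IDMAP_UID selects ls->nm_siduid, IDMAP_GID selects ls->nm_sidgid).
 */
#define	NLDAP_OR_MIXED_MODE(pidtype, ls) \
	(((pidtype) == IDMAP_UID && NLDAP_OR_MIXED((ls)->nm_siduid)) || \
	((pidtype) == IDMAP_GID && NLDAP_OR_MIXED((ls)->nm_sidgid)))
#define	AD_OR_MIXED_MODE(pidtype, ls) \
	(((pidtype) == IDMAP_UID && AD_OR_MIXED((ls)->nm_siduid)) || \
	((pidtype) == IDMAP_GID && AD_OR_MIXED((ls)->nm_sidgid)))
#define	NLDAP_MODE(pidtype, ls) \
	(((pidtype) == IDMAP_UID && (ls)->nm_siduid == IDMAP_NM_NLDAP) || \
	((pidtype) == IDMAP_GID && (ls)->nm_sidgid == IDMAP_NM_NLDAP))
#define	AD_MODE(pidtype, ls) \
	(((pidtype) == IDMAP_UID && (ls)->nm_siduid == IDMAP_NM_AD) || \
	((pidtype) == IDMAP_GID && (ls)->nm_sidgid == IDMAP_NM_AD))
#define	MIXED_MODE(pidtype, ls) \
	(((pidtype) == IDMAP_UID && (ls)->nm_siduid == IDMAP_NM_MIXED) || \
	((pidtype) == IDMAP_GID && (ls)->nm_sidgid == IDMAP_NM_MIXED))


/*
 * Accumulator handed to list_svc_cb callbacks: result array, its fill
 * position (next) and size (len), the caller's limit and a flag word.
 */
typedef struct list_cb_data {
	void		*result;
	uint64_t	next;
	uint64_t	len;
	uint64_t	limit;
	int		flag;
} list_cb_data_t;

/* Return-code to message mapping. */
typedef struct msg_table {
	idmap_retcode	retcode;
	const char	*msg;
} msg_table_t;

/*
 * Data structure to store well-known SIDs and
 * associated mappings (if any)
 */
typedef struct wksids_table {
	const char	*sidprefix;
	uint32_t	rid;
	const char	*domain;
	const char	*winname;
	int		is_wuser;
	posix_id_t	pid;
	int		is_user;
	int		direction;
} wksids_table_t;

#define	IDMAPD_SEARCH_TIMEOUT		3	/* seconds */
#define	IDMAPD_LDAP_OPEN_TIMEOUT	1	/* secs; initial, w/ exp backoff */

/*
 * The following flags are used by idmapd while processing a
 * given mapping request. Note that idmapd uses multiple passes to
 * process the request and the flags are used to pass information
 * about the state of the request between these passes.
 */

/* Initial state. Done. Reset all flags. Remaining passes can be skipped */
#define	_IDMAP_F_DONE			0x00000000
/* Set when subsequent passes are required */
#define	_IDMAP_F_NOTDONE		0x00000001
/* Don't update name_cache. (e.g. set when winname,SID found in name_cache) */
#define	_IDMAP_F_DONT_UPDATE_NAMECACHE	0x00000002
/* Batch this request for AD lookup */
#define	_IDMAP_F_LOOKUP_AD		0x00000004
/* Batch this request for nldap directory lookup */
#define	_IDMAP_F_LOOKUP_NLDAP		0x00000008
/*
 * Expired ephemeral mapping found in cache when processing sid2uid request.
 * Use it if the given SID cannot be mapped by name
 */
#define	_IDMAP_F_EXP_EPH_UID		0x00000010
/* Same as above. Used for sid2gid request */
#define	_IDMAP_F_EXP_EPH_GID		0x00000020
/* This request is not valid for the current forest */
#define	_IDMAP_F_LOOKUP_OTHER_AD	0x00000040


/*
 * Check if we are done. If so, subsequent passes can be skipped
 * when processing a given mapping request.
 */
#define	ARE_WE_DONE(f)	(((f) & _IDMAP_F_NOTDONE) == 0)

#define	SIZE_INCR	5	/* growth step for dynamic arrays, presumably */
#define	MAX_TRIES	5	/* retry bound; see users for what is retried */
/* Persistent database vs. cache; /var/run is presumably volatile storage. */
#define	IDMAP_DBDIR	"/var/idmap"
#define	IDMAP_CACHEDIR	"/var/run/idmap"
#define	IDMAP_DBNAME	IDMAP_DBDIR "/idmap.db"
#define	IDMAP_CACHENAME	IDMAP_CACHEDIR "/idmap.db"

/* Type of the i-th request's source id (id1) in an idmap_mapping_batch. */
#define	IS_BATCH_SID(batch, i) \
	((batch).idmap_mapping_batch_val[(i)].id1.idtype == IDMAP_SID || \
	(batch).idmap_mapping_batch_val[(i)].id1.idtype == IDMAP_USID || \
	(batch).idmap_mapping_batch_val[(i)].id1.idtype == IDMAP_GSID)

#define	IS_BATCH_UID(batch, i) \
	((batch).idmap_mapping_batch_val[(i)].id1.idtype == IDMAP_UID)

#define	IS_BATCH_GID(batch, i) \
	((batch).idmap_mapping_batch_val[(i)].id1.idtype == IDMAP_GID)

/* True for any of the three SID id types (generic, user, group). */
#define	IS_ID_SID(id) \
	((id).idtype == IDMAP_SID || \
	(id).idtype == IDMAP_USID || \
	(id).idtype == IDMAP_GSID)

/* n is 1 or 2: selects (req).id1 or (req).id2 by token pasting. */
#define	IS_REQUEST_SID(req, n)	IS_ID_SID((req).id##n)


#define	IS_REQUEST_UID(request) \
	((request).id1.idtype == IDMAP_UID)

#define	IS_REQUEST_GID(request) \
	((request).id1.idtype == IDMAP_GID)

/*
 * Local RID ranges.  UID RIDs and GID RIDs are disjoint (the GID range
 * starts at INT32_MAX + 1), so a local RID alone tells user from group;
 * note that GID RIDs do not fit in a signed 32-bit int.
 */
#define	LOCALRID_UID_MIN	1000U
#define	LOCALRID_UID_MAX	((uint32_t)INT32_MAX)
#define	LOCALRID_GID_MIN	(((uint32_t)INT32_MAX) + 1)
#define	LOCALRID_GID_MAX	UINT32_MAX

/* Callback types used by the list services (see process_list_svc_sql). */
typedef idmap_retcode (*update_list_res_cb)(void *, const char **, uint64_t);
typedef int (*list_svc_cb)(void *, int, char **, char **);

/* RPC dispatch entry point for the idmap program, version 1. */
extern void	idmap_prog_1(struct svc_req *, register SVCXPRT *);
/*
 * Daemon logging, (level, format, ...).  Presumably printf-style: always
 * pass a literal format string, never a name or message from a request.
 */
extern void	idmapdlog(int, const char *, ...);
extern int	init_mapping_system(void);
extern void	fini_mapping_system(void);
extern void	print_idmapdstate(void);
/* Create a directory owned by the given uid/gid (ownership semantics: see definition). */
extern int	create_directory(const char *, uid_t, gid_t);
extern int	load_config(void);
extern void	reload_ad(void);
extern int	idmap_init_tsd_key(void);
/* Mark the service degraded/restored; the string is presumably the reason logged. */
extern void	degrade_svc(int, const char *);
extern void	restore_svc(void);


/* Database lifecycle and handles (persistent db vs. cache). */
extern int		init_dbs(void);
extern void		fini_dbs(void);
extern idmap_retcode	get_db_handle(sqlite **);
extern idmap_retcode	get_cache_handle(sqlite **);
/*
 * Runs an SQL statement without a row callback.  The statement text is
 * executed as given; callers must build it with quoting helpers, never by
 * pasting request-supplied names into it.
 */
extern idmap_retcode	sql_exec_no_cb(sqlite *, const char *, char *);
extern idmap_retcode	add_namerule(sqlite *, idmap_namerule *);
extern idmap_retcode	rm_namerule(sqlite *, idmap_namerule *);
extern idmap_retcode	flush_namerules(sqlite *);

/* Lower-case a UTF-8 string; returns a new allocation (caller frees), presumably. */
extern char		*tolower_u8(const char *);

extern idmap_retcode	gen_sql_expr_from_rule(idmap_namerule *, char **);
extern idmap_retcode	validate_list_cb_data(list_cb_data_t *, int,
				char **, int, uchar_t **, size_t);
extern idmap_retcode	process_list_svc_sql(sqlite *, const char *, char *,
				uint64_t, int, list_svc_cb, void *);
/* The mapping passes; the per-request flags above carry state between them. */
extern idmap_retcode	sid2pid_first_pass(lookup_state_t *,
				idmap_mapping *, idmap_id_res *);
extern idmap_retcode	sid2pid_second_pass(lookup_state_t *,
				idmap_mapping *, idmap_id_res *);
extern idmap_retcode	pid2sid_first_pass(lookup_state_t *,
				idmap_mapping *, idmap_id_res *, int);
extern idmap_retcode	pid2sid_second_pass(lookup_state_t *,
				idmap_mapping *, idmap_id_res *, int);
extern idmap_retcode	update_cache_sid2pid(lookup_state_t *,
				idmap_mapping *, idmap_id_res *);
extern idmap_retcode	update_cache_pid2sid(lookup_state_t *,
				idmap_mapping *, idmap_id_res *);
extern idmap_retcode	get_u2w_mapping(sqlite *, sqlite *, idmap_mapping *,
				idmap_mapping *, int);
extern idmap_retcode	get_w2u_mapping(sqlite *, sqlite *, idmap_mapping *,
				idmap_mapping *);
extern idmap_retcode	load_cfg_in_state(lookup_state_t *);
extern void		cleanup_lookup_state(lookup_state_t *);

extern idmap_retcode	ad_lookup_batch(lookup_state_t *,
				idmap_mapping_batch *, idmap_ids_res *);
extern idmap_retcode	lookup_name2sid(sqlite *, const char *, const char *,
				int *, char **, char **, char **,
				idmap_rid_t *, idmap_mapping *, int);
extern idmap_retcode	lookup_wksids_name2sid(const char *, const char *,
				char **, char **, char **, idmap_rid_t *,
				int *);


extern void	idmap_log_stderr(int);
extern void	idmap_log_syslog(boolean_t);
extern void	idmap_log_degraded(boolean_t);

/*
 * Well-known SID table lookups.  NOTE(review): rid is declared int here
 * although wksids_table_t.rid is uint32_t and LOCALRID_GID_* exceed
 * INT32_MAX; confirm callers never pass a RID that does not fit in int.
 */
extern const wksids_table_t *find_wksid_by_pid(posix_id_t pid, int is_user);
extern const wksids_table_t *find_wksid_by_sid(const char *sid, int rid,
    int type);
extern const wksids_table_t *find_wksid_by_name(const char *name,
    const char *domain, int type);
extern const wksids_table_t *find_wk_by_sid(char *sid);

#ifdef __cplusplus
}
#endif

#endif /* _IDMAPD_H */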